Windows LAPS - AAD
- Mr B SOE way
- May 3, 2023
- 2 min read
Updated: May 3, 2023
Windows Local Administrator Password Solution (Windows LAPS) is a Windows feature that allows IT administrators to secure and protect local administrator passwords. This includes automatic rotation of passwords as well as backing up the passwords to Azure Active Directory or Active Directory.
To use Windows LAPS in Intune, ensure you’re using a supported Windows platform:
Windows 10 20H2 and later with April 11, 2023 security updates installed
Windows 11 21H2 and later with April 11, 2023 security updates installed
Windows Server 2019 and later with April 11, 2023 security updates installed
Instructions:
1. Navigate to https://portal.azure.com then select Azure Active Directory.
2. Select Devices then select Device Settings.
3. Select Yes for Enable Azure AD Local Administrator Password Solution (LAPS).

4. Navigate to https://endpoint.microsoft.com then create a custom profile with the following settings:
Name: Windows - Enable Built-In Administrator
Platform: Windows 10 and later
Profile type: Custom
Under OMA-URI Settings, enter the following:
Name: Enable Local Administrator
Description: Optional
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
Data Type: Integer
Value: 1
This enables the built-in Administrator account.

5. Navigate to https://endpoint.microsoft.com then select Endpoint Security then select Account Protection. Select Create Policy then select the following:
Name: Windows - LAPS Policy
Platform: Windows 10 and later
Profile type: Local admin password solution (Windows LAPS)

Configuration Settings:
Backup Directory: Allows you to back up the local administrator password to Azure Active Directory or Active Directory.
Administrator Account Name: If configured, the specified account's password will be managed via the policy. If not specified, the default built-in local administrator account will be located by its well-known SID (even if it has been renamed).
Note: if a custom managed local administrator account name is specified in this setting, that account must be created via other means. Specifying a name in this setting will not cause the account to be created.
Password Complexity: Allows an IT admin to configure password complexity of the managed local administrator account.
Password Length: Configure the length of the password. By default the value is 14; the minimum value is 8 and the maximum value is 64.
Post Authentication Actions: This setting specifies what LAPS should do with the account after a successful authentication. By default it will log off the managed account and reset the password.
Post Authentication Reset Delay: How long LAPS waits before performing the Post Authentication Action specified above. Default is 24 hours.
Once the policy has been applied successfully, you can verify it in Event Viewer under:
Applications and Services Logs > Microsoft > Windows > LAPS

6. Then navigate to https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesWindowsMenu/~/windowsDevices then search for the device, then select Local admin password then select Show local administrator password.

On the machine, run an application as a different user and enter:
Username: .\Administrator
Password: the password shown above.
You also have the option to rotate the LAPS admin password.

7. Once this has been executed, navigate to Event Viewer then Applications and Services Logs > Microsoft > Windows > LAPS to review the resulting events.
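To check the client side of steps 4, 5 and 7 from a single elevated PowerShell session rather than clicking through Event Viewer, here is an added example (not from the original post). It assumes the Intune LAPS CSP writes its policy under HKLM:\SOFTWARE\Microsoft\Policies\LAPS and that the operational log is named Microsoft-Windows-LAPS/Operational.

```powershell
# Added example, not part of the original post. Run elevated on a device that
# has the April 2023 update and has received the Intune LAPS policy.
function Test-LapsClientState {
    [CmdletBinding()]
    param(
        # Number of recent LAPS operational events to return for inspection
        [int]$EventCount = 10
    )

    # Policy values written by the Intune LAPS CSP (assumed registry path).
    # BackupDirectory: 0 = disabled, 1 = Azure AD, 2 = Active Directory.
    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # The managed account is located by its well-known RID (500), so match on
    # the SID rather than the name "Administrator" in case it was renamed.
    $builtinAdmin = Get-LocalUser |
        Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

    # Same log the post inspects in Event Viewer:
    # Applications and Services Logs > Microsoft > Windows > LAPS
    $events = Get-WinEvent -LogName 'Microsoft-Windows-LAPS/Operational' `
        -MaxEvents $EventCount -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        PolicyPresent       = [bool]$policy                 # step 5 landed?
        BackupDirectory     = $policy.BackupDirectory
        BackupToAzureAD     = ($policy.BackupDirectory -eq 1)
        PasswordLength      = $policy.PasswordLength        # default 14
        AdminAccountName    = $builtinAdmin.Name
        AdminAccountEnabled = $builtinAdmin.Enabled         # step 4 landed?
        RecentLapsEvents    = $events                       # step 7 check
    }
}

# Usage: print the summary, then expand the recent events
$state = Test-LapsClientState
$state | Format-List PolicyPresent, BackupToAzureAD, PasswordLength, AdminAccountName, AdminAccountEnabled
$state.RecentLapsEvents | Format-Table -AutoSize
```

If PolicyPresent is $false or AdminAccountEnabled is $false, the corresponding Intune profile has not reached the device yet; sync the device and re-run.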
